
Two-factor authentication

  • 18 January 2019
With the upcoming release of the Thinkwise Suite G9.8, we have introduced the ability to perform two-factor authentication on users. Two-factor authentication provides an extra layer of authentication, on top of the conventional username and password, which serves to establish the identity of a user with a higher degree of certainty. Typically, two-factor authentication requires the user to prove that they are also in possession of something that only the real user should be in possession of, for instance a mobile phone. Our implementation of two-factor authentication supports the validation of phone numbers (by means of SMS) and the validation of email addresses.

Support
Two-factor authentication can only be used in applications which are managed by IAM, as IAM is the place where a user’s settings with regard to two-factor authentication can be configured. In addition, support for two-factor authentication is provided by the Web GUI and the Mobile GUI, but not by the Windows GUI. The reason for this is that it is not possible to perform client-side validation of a user’s identity claim in a secure manner.

As stated earlier, we offer support for two-factor authentication by means of SMS and by means of email. For SMS two-factor authentication, the only service that is currently supported is Twilio. In order to use SMS two-factor authentication, a Twilio account and an SMS-enabled Twilio phone number are required. Information about pricing can be found here. For email two-factor authentication we offer full support for the SMTP protocol. Emails can be sent through any accessible SMTP server. Even though these are the currently supported services, our implementation is highly extensible. Extra service implementations can be added quite easily, and these implementations do not need to be limited to SMS or email services.

How does it work?
After going through the conventional login process, by means of a username and password, the user will be required to provide a validation code before being granted access to the application. The Web GUI will send the validation code to the user’s phone number or email address automatically, and will display a form where the validation code can be submitted. The Mobile GUI will display a page where a validation code can be requested manually and, upon requesting the validation code, will also show a form where the validation code can be submitted. Access to the application will be granted after submitting a correct validation code.

Screenshot: Mobile GUI – Requesting a validation code

Screenshot: Mobile GUI – Submitting a validation code

Screenshot: Web GUI – Submitting the validation code

Configuring two-factor authentication for a user
To configure a user in IAM to use two-factor authentication, a new field named Two-factor authentication type is used. This field is mandatory and accepts the following values:
  • None
  • SMS
  • Email
By default, all existing users will have been set to None. Choosing SMS or Email will turn on two-factor authentication for that user. Choosing SMS will make it mandatory to provide the user’s phone number, while choosing Email will make it mandatory to provide the user’s email address. Before configuring users to use two-factor authentication, ensure that all of the requirements outlined in this article have been met.

Configuring SMS two-factor authentication
To use SMS two-factor authentication in the Web GUI the settings below need to be configured in the settings.ini file or in IAM. For the Mobile GUI, the settings below need to be configured in the appsettings of the Web.config file of the application service used by the Mobile GUI.


Configuring Email two-factor authentication
To use Email two-factor authentication in the Web GUI the settings below need to be configured in the settings.ini file or in IAM. For the Mobile GUI, the settings below need to be configured in the appsettings of the Web.config file of the application service used by the Mobile GUI.


Localisation
The SMS message sent to the users can be configured by means of a translation with the key two_factor_message_sms_body. The translation text must contain ‘{0}’, as this is the parameter that will be replaced by the validation code which the users can use to validate their identity.
The subject and body of the email message sent to the user can be configured by means of two translations with the keys two_factor_message_mail_subject and two_factor_message_mail_body respectively. The translation text of the body must contain ‘{0}’, as this is the parameter that will be replaced by the validation code which the users can use to validate their identity.

Example of a body translation:

Your validation code is: {0}. Please enter and submit this code in the application to continue.
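As an added illustration (not Thinkwise code), the following Python sketches the server side of the flow described in "How does it work?" together with the localisation rules above: a fresh code is issued, the body translation's '{0}' placeholder is filled, and the submitted code is accepted once, within a time limit and attempt budget. The translation table, the five-minute lifetime and the five-attempt limit are assumptions, not settings of the suite.

```python
import hmac
import secrets
import time

# Constructed translation table using the keys named in the article; '{0}' is
# the placeholder that is replaced with the validation code.
TRANSLATIONS = {
    "two_factor_message_sms_body": "Your validation code is: {0}.",
    "two_factor_message_mail_body": "Your validation code is: {0}. Please "
    "enter and submit this code in the application to continue.",
}
CODE_TTL_SECONDS = 300  # assumed code lifetime (not specified by the article)
MAX_ATTEMPTS = 5        # assumed guess budget per issued code (assumption)


def render_message(key, code):
    """Fill the '{0}' placeholder; reject a translation that lacks it."""
    template = TRANSLATIONS[key]
    if "{0}" not in template:
        raise ValueError(f"translation {key} must contain '{{0}}'")
    return template.format(code)


class TwoFactorVerifier:
    """Issues one-time numeric codes per user and checks submissions."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # username -> {"code", "issued_at", "attempts"}

    def issue(self, username, channel):
        """Create a fresh six-digit code and return the message body to send."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = {"code": code, "issued_at": self._now(), "attempts": 0}
        key = "two_factor_message_sms_body" if channel == "SMS" else "two_factor_message_mail_body"
        return render_message(key, code)

    def verify(self, username, submitted):
        """True once per issued code; expired or over-tried codes are discarded."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._now() - entry["issued_at"] > CODE_TTL_SECONDS or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]   # force a new code to be requested
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[username]   # single use
            return True
        return False
```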
